Commit b56f9ef7231695f2414409832d537fff77de6bce

Authored by Philippe Lagadec
1 parent 732e9a0a

olevba: added DridexUrlDecoder from James Habben

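--- a/oletools/thirdparty/DridexUrlDecoder/DridexUrlDecoder.py
+++ b/oletools/thirdparty/DridexUrlDecoder/DridexUrlDecoder.py
@@ -0,0 +1,42 @@
+# Written by @JamesHabben
+# https://github.com/JamesHabben/MalwareStuff
+
+# 2015-01-27 Slight modifications from Philippe Lagadec (PL) to use it from olevba
+
+import sys
+
+def DridexUrlDecode (inputText) :
+ work = inputText[4:-4]
+ strKeyEnc = StripCharsWithZero(work[(len(work) / 2) - 2: (len(work) / 2)])
+ strKeySize = StripCharsWithZero(work[(len(work) / 2): (len(work) / 2) + 2])
+ nCharSize = strKeySize - strKeyEnc
+ work = work[:(len(work) / 2) - 2] + work[(len(work) / 2) + 2:]
+ strKeyEnc2 = StripChars(work[(len(work) / 2) - (nCharSize/2): (len(work) / 2) + (nCharSize/2)])
+ work = work[:(len(work) / 2) - (nCharSize/2)] + work[(len(work) / 2) + (nCharSize/2):]
+ work_split = [work[i:i+nCharSize] for i in range(0, len(work), nCharSize)]
+ decoded = ''
+ for group in work_split:
+ # sys.stdout.write(chr(StripChars(group)/strKeyEnc2))
+ decoded += chr(StripChars(group)/strKeyEnc2)
+ return decoded
+
+def StripChars (input) :
+ result = ''
+ for c in input :
+ if c.isdigit() :
+ result += c
+ return int(result)
+
+def StripCharsWithZero (input) :
+ result = ''
+ for c in input :
+ if c.isdigit() :
+ result += c
+ else:
+ result += '0'
+ return int(result)
+
+
+# DridexUrlDecode("C3iY1epSRGe6q8g15xStVesdG717MAlg2H4hmV1vkL6Glnf0cknj")
+# DridexUrlDecode("HLIY3Nf3z2k8jD37h1n2OM3N712DGQ3c5M841RZ8C5e6P1C50C4ym1oF504WyV182p4mJ16cK9Z61l47h2dU1rVB5V681sFY728i16H3E2Qm1fn47y2cgAo156j8T1s600hukKO1568X1xE4Z7d2q17jvcwgk816Yz32o9Q216Mpr0B01vcwg856a17b9j2zAmWf1536B1t7d92rI1FZ5E36Pu1jl504Z34tm2R43i55Lg2F3eLE3T28lLX1D504348Goe8Gbdp37w443ADy36X0h14g7Wb2G3u584kEG332Ut8ws3wO584pzSTf")
+# DridexUrlDecode("YNPH1W47E211z3P6142cM4115K2J1696CURf1712N1OCJwc0w6Z16840Z1r600W16Z3273k6SR16Bf161Q92a016Vr16V1pc")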
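Review bot: DridexUrlDecode performs no validation on a string that olevba will pull out of attacker-controlled VBA, and every step of it can raise: `StripChars` returns `int(result)`, which is a ValueError when the slice holds no digit; `nCharSize = strKeySize - strKeyEnc` can be zero or negative, so `range(0, len(work), nCharSize)` raises for a zero step and silently yields nothing for a negative one; and `chr(StripChars(group)/strKeyEnc2)` raises ZeroDivisionError when the middle key decodes to 0 and ValueError when the quotient is outside chr's range. Adding `if nCharSize <= 0 or strKeyEnc2 == 0: raise ValueError('invalid Dridex key fields')` after the `strKeyEnc2` line makes the rejection explicit, but the olevba call site (not in this commit) still has to catch ValueError and ZeroDivisionError so a single malformed candidate string does not abort the analysis of the whole document. The `/` on the slice indices is Python 2 integer division; `//` keeps the indices integers on Python 3 too, which matters if olevba is ever run there. `import sys` only serves the commented-out `sys.stdout.write` and can be dropped.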
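--- a/oletools/thirdparty/DridexUrlDecoder/LICENSE.txt
+++ b/oletools/thirdparty/DridexUrlDecoder/LICENSE.txt
@@ -0,0 +1,3 @@
+DridexUrlDecoder.py is published by James Habben (@JamesHabben)
+on https://github.com/JamesHabben/MalwareStuff
+without explicit license.
\ No newline at end of file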
oletools/thirdparty/DridexUrlDecoder/__init__.py 0 → 100644